mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 07:43:27 +08:00
fix missing -
@@ -7,7 +7,7 @@ info:
description: |
The term "pexec" typically refers to the "privileged execution" of a command or program.
reference:
https://gtfobins.github.io/gtfobins/pexec/
- https://gtfobins.github.io/gtfobins/pexec/
metadata:
verified: true
max-request: 3
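Review bot: the bare URL under `reference:` was a plain scalar, so `reference` was a string rather than the sequence the template schema expects; the `- ` prefix is the right fix. Since the same defect appears in every hunk of this commit, add a schema or lint check that `reference` is a sequence so it is caught at PR time instead of by hand.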
@@ -7,7 +7,7 @@ info:
description: |
DNS is recommended to be configured over TLS. This prevents intermediate parties and potential attackers from viewing the content of DNS queries and can also assure that DNS is being provided by the expected DNS servers.
reference:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
- https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
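Review bot: `cvss-metrics` with `C:N/I:N/A:N` and `cvss-score: 0` states no impact, while the description argues that cleartext DNS exposes query content to intermediate parties; for a configuration-recommendation template the zero-score `classification:` block carries no information and is better dropped, or the score should reflect the exposure the text describes. The same block recurs in the other pfSense hunks below.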
@@ -7,7 +7,7 @@ info:
description: |
Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
- https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
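Review bot: the description opens with "Configure sessions timeout is recommended to be enabled", which does not parse; since the block is already being edited, reword it to "Configuring a session timeout is recommended." before the sentence about indefinite sessions.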
@@ -7,7 +7,7 @@ info:
description: |
PfSense Web Admin Management Portal is recommended to be accessible using only HTTPS protocol. HTTP transmits all data, including passwords, in clear text over the network and provides no assurance of the identity of the hosts involved, making it possible for an attacker to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
- https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
@@ -7,7 +7,7 @@ info:
description: |
PfSense password protection via the Console Menu is recommended to be configured. An unattended computer with an open Console Menu session can allow an unauthorized user access to the firewall management.
reference:
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
- https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
@@ -7,7 +7,7 @@ info:
description: |
PfSense Hostname should be set so that other devices on the network can correctly identify it. The hostname is a unique identifier for the device.
reference:
https://docs.netgate.com/pfsense/en/latest/config/general.html
- https://docs.netgate.com/pfsense/en/latest/config/general.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
@@ -5,8 +5,8 @@ info:
severity: info
description: Detects Turla malware based on sample used in the RUAG APT case
reference:
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
- https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
tags: malware,turla,apt,ruag
file:
@@ -6,8 +6,8 @@ info:
description: |
Detects malware by Chinese APT PLA Unit 78020 - Generic Rule
reference:
http://threatconnect.com/camerashy/?utm_campaign=CameraShy
https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
- http://threatconnect.com/camerashy/?utm_campaign=CameraShy
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
tags: malware,unit78020
file:
@@ -1,15 +1,22 @@
id: sitecore-xml-xss
id: CVE-2014-100004
info:
name: SiteCore XML Control Script Insertion
name: Sitecore CMS - Cross-Site Scripting
author: DhiyaneshDK
severity: medium
description: |
Sitecores “special way” of displaying XML Controls directly allows for a Cross Site Scripting Attack – more can be achieved with these XML Controls
Sitecore CMS contains a cross-site scripting vulnerability via the "special way" of displaying XML Controls directly, which allows for a Cross Site Scripting Attack.
reference:
- https://vulners.com/securityvulns/SECURITYVULNS:DOC:30273
- https://web.archive.org/web/20151016072340/http://www.securityfocus.com/archive/1/530901/100/0/threaded
- https://nvd.nist.gov/vuln/detail/CVE-2014-100004
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2014-100004
epss-score: 0.00385
epss-percentile: 0.59034
cwe-id: CWE-79
cpe: cpe:2.3:a:sitecore:sitecore.net:*:*:*:*:*:*:*:*
metadata:
verified: "true"
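Review bot: `id:` changes from `sitecore-xml-xss` to `CVE-2014-100004`, so the file has to be renamed and moved to the CVE directory to match, and anything referencing the old id updated. The hunk also writes `verified: "true"` as a quoted string while the CVE-2015-6477 and CVE-2021-42565 hunks use the bare boolean `verified: true`; pick one form. The new description ends "...cross-site scripting vulnerability ... which allows for a Cross Site Scripting Attack", which is circular; drop the second clause.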
@@ -17,7 +24,7 @@ info:
vendor: sitecore
product: sitecore.net
shodan-query: html:"Sitecore"
tags: xss,sitecore,cms
tags: cve,cve2014,xss,sitecore,cms,vuln
http:
- method: GET
@@ -39,4 +46,4 @@ http:
- type: status
status:
- 200
# digest: 4b0a00483046022100e1a5d9bb8833a1a078d73d226c6ea9da6b43c5e79eee307798007a40d6b4996d022100ae77daa481f74c23854134ef24a5c0864e3682f686e3ebd0d89f70563d3a2563:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100c97e57d30dceb78ef802a4f114eb2bbfcfe80edfc3eb1169e64483eeeda693bc02201c017e6a1dca8ada5d4394c93d1fdc9ab7d1a05127480852434075da10eb94c8:922c64590222798bb761d5b6d8e72950
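Review bot: the `# digest:` line is the signature over the template body and must come from the template signing tool after the content edits above, not be hand-edited; it has to be regenerated again after any further change to the body.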
@@ -2,7 +2,7 @@ id: CVE-2015-6477
info:
name: Nordex NC2 - Cross-Site Scripting
author: geeknik
author: geeknik,daffainfo
severity: medium
description: Nordex NC2 contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
impact: |
@@ -14,27 +14,30 @@ info:
- https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01
- https://nvd.nist.gov/vuln/detail/CVE-2015-6477
- http://packetstormsecurity.com/files/135068/Nordex-Control-2-NC2-SCADA-16-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2015/Dec/117
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
cvss-score: 4.3
cve-id: CVE-2015-6477
cwe-id: CWE-79
epss-score: 0.3338
epss-percentile: 0.96688
epss-score: 0.3474
epss-percentile: 0.96816
cpe: cpe:2.3:o:nordex:nordex_control_2_scada:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: nordex
product: nordex_control_2_scada
tags: cve2015,cve,seclists,packetstorm,xss,iot,nordex,nc2
shodan-query: http.title:"Nordex Control - Wind Farm Portal"
tags: cve,cve2015,nordex,nc2,seclists,packetstorm,xss,iot,vuln
http:
- method: POST
path:
- "{{BaseURL}}/login"
- raw:
- |
POST /login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
body: 'connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27{{randstr}}%27%29%3C%2Fscript%3E&pw=nordex&language=en'
connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&pw=nordex&language=en
matchers-condition: and
matchers:
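Review bot: the POST body replaces `alert('{{randstr}}')` with the fixed `alert(document.domain)`, which gives up the per-run random marker that made the reflected-string match unambiguous; a fixed string can already be present in a page or a cached response. Either keep `{{randstr}}` in both the body and the matcher, or keep the fixed payload and rely on the `var detailParams` anchor under `condition: and` in the next hunk. The request also moves from `method: POST` with `path:` to a `raw:` block, so confirm the `path:` entry `{{BaseURL}}/login` is removed rather than left next to `raw:`, since a request carries one or the other.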
@@ -46,5 +49,10 @@ http:
- type: word
part: body
words:
- "</script><script>alert('{{randstr}}')</script>"
# digest: 4a0a00473045022100931a43680b8786e206dccd77e69225a4fa3620429fb6435835b32ba4f90331f2022062f76ad7d3592c18ef5289a356efcb12e35e72f8200e80a2058cb984395a2c96:922c64590222798bb761d5b6d8e72950
- "</script><script>alert(document.domain)</script>"
- "var detailParams"
condition: and
- type: status
status:
- 200
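Review bot: with `condition: and` on the `words:` list, both `</script><script>alert(document.domain)</script>` and `var detailParams` have to appear in the same body; the second string anchors the match to the NC2 login page and is what keeps the fixed payload from matching stray reflections elsewhere. The `# digest:` line sits in the middle of the matcher block here, so make sure the digest stays the last line of the file and is regenerated after the matcher edit.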
@@ -2,38 +2,38 @@ id: CVE-2021-42565
info:
name: myfactory FMS - Cross-Site Scripting
author: madrobot
author: madrobot,daffainfo
severity: medium
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
description: |
myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Upgrade to the latest version to mitigate this vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42565
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://nvd.nist.gov/vuln/detail/CVE-2021-42565
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-42565
cwe-id: CWE-79
epss-score: 0.0205
epss-percentile: 0.83156
epss-score: 0.01052
epss-percentile: 0.76872
cpe: cpe:2.3:a:myfactory:fms:*:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
max-request: 1
vendor: myfactory
product: fms
tags: cve2021,cve,myfactory,xss
google-query: inurl:ie50/system/ intitle:"myfactory"
tags: cve2021,cve,myfactory,xss,vuln
http:
- method: GET
path:
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
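Review bot: `max-request` drops from 2 to 1 while three `path:` entries are visible in the hunk (the `ie50` and non-`ie50` variants and one with the `%22%3E` prefix); the value has to equal the number of paths that remain after this change, so confirm only one path is kept. The reference list also carries `https://nvd.nist.gov/vuln/detail/CVE-2021-42565` at both the top and the bottom; keep a single entry.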
@@ -41,6 +41,8 @@ http:
part: body
words:
- "</script><script>alert(document.domain)</script>"
- 'name="txtUID"'
- 'function mOnLoad()'
condition: and
- type: word
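Review bot: adding `name="txtUID"` and `function mOnLoad()` to the `words:` list under `condition: and` ties the match to the SysLoginUser.aspx page and removes generic-reflection false positives; confirm both strings are present in the versions the description names as affected (before 7.1-912), not only in current builds, or the template goes quiet on exactly the hosts it should flag.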
@@ -50,5 +52,4 @@ http:
- type: status
status:
- 200
# digest: 490a0046304402203d874d44461470d3db2a6cff1f541f60124c6d4bf185b9af11ddaab53cc4621f022031646314735b62c3e0ce1efbb35d57a61b1920d04eb78d5d2def56e26f0ddf1b:922c64590222798bb761d5b6d8e72950
- 200
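Review bot: `- 200` appears twice around the `# digest:` line, which shows the status list and the digest footer were reordered; the digest has to stay the final line of the file and be regenerated after every change to the body, including the `impact` and `remediation` text added earlier in this file.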
@@ -2,45 +2,46 @@ id: CVE-2021-42566
info:
name: myfactory FMS - Cross-Site Scripting
author: madrobot
author: madrobot,daffainfo
severity: medium
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
description: |
myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Upgrade to the latest version to mitigate this vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42566
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
- https://github.com/ARPSyndicate/cvemon
- https://nvd.nist.gov/vuln/detail/CVE-2021-42566
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-42566
cwe-id: CWE-79
epss-score: 0.0205
epss-percentile: 0.83156
epss-score: 0.01052
epss-percentile: 0.76872
cpe: cpe:2.3:a:myfactory:fms:*:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
max-request: 1
vendor: myfactory
product: fms
tags: cve2021,cve,myfactory,xss
google-query: inurl:ie50/system/ intitle:"myfactory"
tags: cve,cve2021,myfactory,xss,vuln
http:
- method: GET
path:
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%27%29%3Balert%28document%2Edomain%29%3B%2F%2F'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- ';alert(document.domain);'
- 'name="txtUID"'
- 'function mOnLoad()'
condition: and
- type: word
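Review bot: the `words:` list mixes `</script><script>alert(document.domain)</script>` with `;alert(document.domain);` under `condition: and`, but those are reflections of two different payloads (`%3C%2Fscript%3E%3Cscript%3E...` and `%27%29%3Balert%28document%2Edomain%29%3B%2F%2F`) and a single response contains at most one of them. With `max-request: 1` and a single path left, the word belonging to the removed payload must go too, or the matcher can never fire. Separately, `https://nvd.nist.gov/vuln/detail/CVE-2021-42566` is listed twice; keep one.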
@@ -50,5 +51,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a00473045022100f4a74eb5e1a907294f4283c930ab7b6bcfb3c42048b2c4ddb6373817773c738202205b297f01ae71d684f0cd48148d4d793dcc2659447c51efa978ebd235add0c77f:922c64590222798bb761d5b6d8e72950
- 200
@@ -7,7 +7,7 @@ info:
description: |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
reference:
https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
metadata:
verified: true
max-request: 1
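Review bot: `easier,and` in the description is missing the space after the comma; the identical sentence appears in the second Covenant hunk further down, so fix both copies while the files are being touched.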
@@ -7,7 +7,7 @@ info:
description: |
DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux.It is entirely written in Golang with a front end written in Vue.js.
reference:
https://twitter.com/MichalKoczwara/status/1551632627387473920
- https://twitter.com/MichalKoczwara/status/1551632627387473920
metadata:
verified: true
max-request: 1
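Review bot: the description has `Linux.It` without a space after the period, and `server and agents works` should be `work`; both sit in the context line just above the reference fix, so correct them in the same commit.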
@@ -8,7 +8,7 @@ info:
A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI.
It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.
reference:
https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
metadata:
verified: true
max-request: 1
@@ -4,9 +4,10 @@ info:
name: OpenTSDB - Detect
author: pussycat0x
severity: low
description: OpenTSDB stats exposed which is commonly used in monitoring and observability scenarios where tracking and analyzing the performance of systems, applications, and infrastructure over time is essential.
description: |
OpenTSDB stats exposed which is commonly used in monitoring and observability scenarios where tracking and analyzing the performance of systems, applications, and infrastructure over time is essential.
reference:
http://opentsdb.net/
- http://opentsdb.net/
classification:
cpe: cpe:2.3:a:opentsdb:opentsdb:*:*:*:*:*:*:*:*
metadata:
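Review bot: "OpenTSDB stats exposed which is commonly used in monitoring..." makes "which" refer to the exposed stats rather than to OpenTSDB; since the line is being moved into a block scalar anyway, split it: "An OpenTSDB stats endpoint is exposed. OpenTSDB is commonly used in monitoring and observability scenarios where ...".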
@@ -8,10 +8,10 @@ info:
Symfony servers support a "/_fragment" command that allows clients to provide custom PHP commands and return the HTML output.
This template checks to see if they also use a popular default secret key for remote command execution.
reference:
https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
https://github.com/ambionics/symfony-exploits
- https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
- https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
- https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
- https://github.com/ambionics/symfony-exploits
metadata:
max-request: 12
shodan-query: http.html:"Symfony Profiler"
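Review bot: "a "/_fragment" command that allows clients to provide custom PHP commands" overstates the endpoint; what the template actually tests, per the second sentence, is whether the application still uses a well-known default secret, which is what lets the fragment hash be forged. Suggest: "Symfony exposes a /_fragment endpoint that renders internal controllers when the request carries a valid HMAC. This template checks whether the application still uses a popular default secret." Also confirm `max-request: 12` equals the number of candidate secrets probed in the request block below the hunk.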
@@ -7,7 +7,7 @@ info:
description: |
Detect Sitecore Content Management System (CMS).
reference:
https://www.sitecore.com/
- https://www.sitecore.com/
classification:
cpe: cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
metadata:
@@ -7,7 +7,7 @@ info:
description: |
Detect Sitecore Content Management System (CMS) websites based on a redirect from the sitecore media handler URL pattern to the notfound.aspx page.
reference:
https://www.sitecore.com
- https://www.sitecore.com
classification:
cpe: cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*
metadata:
@@ -7,7 +7,7 @@ info:
description: |
RTSP was detected.
reference:
https://nmap.org/nsedoc/scripts/rtsp-methods.html
- https://nmap.org/nsedoc/scripts/rtsp-methods.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cwe-id: CWE-200
@@ -7,7 +7,7 @@ info:
description: |
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.
reference:
- - https://github.com/cedowens/C2-JARM
- https://github.com/cedowens/C2-JARM
- https://twitter.com/MichalKoczwara/status/1551639708949692416
- https://poshc2.readthedocs.io/en/latest/
metadata:
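Review bot: the old entry `- - https://github.com/cedowens/C2-JARM` was a one-item nested sequence inside `reference:`, giving a list of lists that fails validation; the single `- ` is right. This is a different shape of the same `reference` defect as the other hunks and is worth covering in the same lint rule.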
@@ -7,7 +7,7 @@ info:
description: |
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
reference:
https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
metadata:
verified: "true"
max-request: 1
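Review bot: `verified: "true"` is a quoted string here and in the Covenant, DCRat, Gozi, Metasploit, Mythic, Orcus, Quasar and Sliver hunks, while the pexec and CVE-2015-6477 hunks use the bare boolean `verified: true`; normalize to one form so the value does not depend on how the loader coerces strings.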
@@ -7,7 +7,7 @@ info:
description: |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
reference:
https://twitter.com/MichalKoczwara/status/1548685058403360770
- https://twitter.com/MichalKoczwara/status/1548685058403360770
metadata:
verified: "true"
max-request: 1
@@ -7,7 +7,7 @@ info:
description: |
DCRat uses a modular framework that deploys separate executables for each module, most of which are compiled . net binaries programmed in C#.
reference:
https://github.com/thehappydinoa/awesome-censys-queries#dcrat--
- https://github.com/thehappydinoa/awesome-censys-queries#dcrat--
metadata:
verified: "true"
max-request: 1
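Review bot: `compiled . net binaries` in the description should read `compiled .NET binaries`; the line is two lines above the reference fix, so it can be corrected in the same commit.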
@@ -7,7 +7,7 @@ info:
description: |
Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
reference:
https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
- https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
metadata:
verified: "true"
max-request: 1
@@ -7,7 +7,7 @@ info:
description: |
A Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has to exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit which serves as both exploitation and C2 frameworks.
reference:
https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
metadata:
verified: "true"
max-request: 1
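Review bot: "It has to exploit code for a wide range of vulnerabilities" should be "It has exploit code for ...", and "Metasploit which serves as both exploitation and C2 frameworks." is a fragment; suggest "Metasploit serves as both an exploitation and a C2 framework." "A Metasploit Framework" also reads as if there were several; "The Metasploit Framework" is the name.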
@@ -7,8 +7,8 @@ info:
description: |
Mythic is a multiplayer, command and control platform for red teaming operations
reference:
https://docs.mythic-c2.net
https://www.team-cymru.com/post/mythic-case-study-assessing-common-offensive-security-tools
- https://docs.mythic-c2.net
- https://www.team-cymru.com/post/mythic-case-study-assessing-common-offensive-security-tools
metadata:
verified: "true"
max-request: 1
@@ -7,7 +7,7 @@ info:
description: |
Orcus RAT is a type of malicious software program that enables remote access and control of computers and networks. It is a type of Remote Access Trojan (RAT) that has been used by attackers to gain access to and control computers and networks.
reference:
https://github.com/thehappydinoa/awesome-censys-queries#orcusrat--
- https://github.com/thehappydinoa/awesome-censys-queries#orcusrat--
metadata:
verified: "true"
max-request: 1
@@ -7,7 +7,7 @@ info:
description: |
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
reference:
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
metadata:
verified: "true"
max-request: 1
@@ -7,7 +7,7 @@ info:
description: |
Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server
reference:
https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
metadata:
verified: "true"
max-request: 1
@@ -5,7 +5,8 @@ info:
author: pdteam
description: A simple workflow that runs DNS based detection to filter hosts running Worksite and do further HTTP based check to confirm takeover.
reference:
- https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites
- https://melbadry9.gitbook.io/blog/dangling-dns/xyz-services/ddns-worksites
workflows:
- template: dns/worksites-detection.yaml
subtemplates:
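Review bot: the reference moves from `blog.melbadry9.xyz` to the `melbadry9.gitbook.io` copy of the same write-up, but the hunk header `-5,7 +5,8` says one line is added net; check that the extra line is intentional and not a stray blank. The description context line "do further HTTP based check to confirm takeover" should read "does a further HTTP-based check to confirm the takeover".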